Full Disclosure mailing list archives
Mozilla extensions: a security nightmare (part 2)
From: "Stefan Kanthak" <stefan.kanthak () nexgo de>
Date: Tue, 13 Oct 2015 21:14:30 +0200
Hi @ll,

Mozilla Firefox 38 (both standard and ESR) and newer installs and per default activates Cisco's OpenH264 video codec; see <about:plugins>

Firefox 33 to 37 downloaded this codec and installed it on demand; see <http://blogs.cisco.com/collaboration/ciscos-openh264-now-part-of-firefox>

This extension comes as "Gecko media plugin"[*]; for Windows it is implemented as DLL ... and installed into the Firefox profiles (which are stored beneath "%APPDATA%" in Windows).

This is a fundamental design flaw of (not only) Mozilla's extensions, and a security nightmare.

Code installed in "%APPDATA%" (or any other user-writable location) is not protected against tampering; it can be overwritten by the unprivileged user (or malware running with the user's credentials): a modified "gmpopenh264.dll" may be loaded by Mozilla Firefox and its DllMain() routine executed.

Once again Mozilla's bad habits break a security boundary and violate one of the mandatory and basic requirements of the now 20 year old "Designed for Windows" guidelines: applications (more precisely: their executable code) must be installed in "%ProgramFiles%" where they are protected against tampering by unprivileged users (and of course malware running in their user accounts too), since only privileged users can write there.

JFTR:
~~~~~
* there is ABSOLUTELY NO NEED to create a directory "gmp-openh264\1.4" in EVERY Firefox profile and copy "gmpopenh264.dll" into it:
* the other "Gecko media plugin" distributed with Mozilla Firefox is installed in "%ProgramFiles%\Mozilla Firefox\gmp-clearkey\0.1"
* "clearkey.dll" is digitally signed by Mozilla;
* "gmpopenh264.dll" is NOT digitally signed, though!

[*] see <https://wiki.mozilla.org/GeckoMediaPlugins>

Mitigations:
~~~~~~~~~~~~
0) until Mozilla starts to develop a sense for (their users') safety and security and installs (a digitally signed) "gmpopenh264.dll" in "%ProgramFiles%\Mozilla Firefox\gmp-openh264\1.4", stay away from their products!

1) if you can't, open <about:config> and edit/set
   media.gmp-gmpopenh264.provider.enabled to false
   You have to set this preference in ALL Mozilla profiles!

2) fortunately there's a global preference too:
   a) create a text file "presets.js" in the installation directory of Mozilla Firefox (typically "%ProgramFiles%\Mozilla Firefox\") and add the following lines:
      defaultPref("media.gmp-gmpopenh264.enabled", false);
      defaultPref("media.gmp-gmpopenh264.provider.enabled", false);
   b) create a subdirectory "\Defaults\Prefs\" in the installation directory.
   c) create a text file "local-settings.js" in this subdirectory and add the following lines:
      pref("general.config.filename", "presets.js");
      pref("general.config.obscure_value", 0);
      This file lets Mozilla Firefox use the "presets.js" created before.

3) if you generally don't want executables stored in (Windows) user profiles to be run, use one or both of the following techniques:
   a) enable SAFER alias Software Protection Policy or AppLocker and create a rule to deny execution in "%USERPROFILE%" and below.
   b) add the inheritable NTFS ACE "(D;OIIO;WP;;;WD)"[*] to every "%USERPROFILE%" and "%ALLUSERSPROFILE%" alias "%ProgramData%".
      Yes, this stops self-extracting installers which unpack their payload to %TEMP%; but these are flawed per concept too!
      If you need to support such crap, consider removing the USER environment variables %TEMP% and %TMP% of the administrator account. The administrator will then use the system's %TEMP% alias %SystemRoot%\Temp

[*] this is the SDDL notation for "deny execution of files in this directory and its subdirectories for all users"

stay tuned
Stefan Kanthak

PS: see <http://seclists.org/fulldisclosure/2015/Aug/7> if you missed part 1
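To make the SDDL footnote concrete, here is an added example (my code, not part of the original post) that decodes an ACE string such as "(D;OIIO;WP;;;WD)" into its fields, so an administrator can verify what an ACE will do before adding it to a profile directory. The token tables are a subset I constructed for the example; note that the same two letters mean different things per field ("WD" is WRITE_DAC in the rights field but Everyone in the trustee field), and that an inherit-only ACE never governs the directory it is placed on.

```python
import re

# Subset of the SDDL token tables sufficient for NTFS ACEs (constructed for
# this example). ACE flags: OI propagates to files, IO keeps the ACE from
# applying to the directory itself; OI alone still reaches subdirectories,
# which receive it as an inherit-only ACE for their own files.
ACE_TYPES = {"A": "ACCESS_ALLOWED", "D": "ACCESS_DENIED", "AU": "SYSTEM_AUDIT"}
ACE_FLAGS = {"OI": "OBJECT_INHERIT", "CI": "CONTAINER_INHERIT",
             "NP": "NO_PROPAGATE_INHERIT", "IO": "INHERIT_ONLY", "ID": "INHERITED"}
# Right tokens keep their generic SDDL mask; the name shows what that bit
# means on a file-system object (WP == 0x20 == FILE_EXECUTE / FILE_TRAVERSE).
RIGHTS = {"CC": (0x1, "FILE_READ_DATA|FILE_LIST_DIRECTORY"),
          "DC": (0x2, "FILE_WRITE_DATA|FILE_ADD_FILE"),
          "LC": (0x4, "FILE_APPEND_DATA|FILE_ADD_SUBDIRECTORY"),
          "WP": (0x20, "FILE_EXECUTE|FILE_TRAVERSE"),
          "SD": (0x10000, "DELETE"), "WD": (0x40000, "WRITE_DAC"),
          "WO": (0x80000, "WRITE_OWNER"), "FA": (0x1F01FF, "FILE_ALL_ACCESS"),
          "GA": (0x10000000, "GENERIC_ALL")}
TRUSTEES = {"WD": "Everyone (S-1-1-0)", "BA": "BUILTIN\\Administrators",
            "BU": "BUILTIN\\Users", "AU": "Authenticated Users",
            "SY": "NT AUTHORITY\\SYSTEM", "CO": "CREATOR OWNER"}

def _pairs(s):
    """Split a run of two-letter SDDL tokens ('OIIO' -> ['OI', 'IO'])."""
    if len(s) % 2:
        raise ValueError("odd-length token string: %r" % s)
    return [s[i:i + 2] for i in range(0, len(s), 2)]

def parse_ace(ace):
    """Decode one SDDL ACE string such as '(D;OIIO;WP;;;WD)' into a dict."""
    m = re.fullmatch(r"\(([^()]*)\)", ace.strip())
    if not m:
        raise ValueError("ACE must be a single parenthesised string")
    fields = m.group(1).split(";")
    if len(fields) != 6:
        raise ValueError("ACE needs 6 ';'-separated fields, got %d" % len(fields))
    ace_type, flags, rights, obj_guid, inh_guid, trustee = fields
    mask, names = 0, []
    if rights.lower().startswith("0x"):          # numeric access-mask form
        mask = int(rights, 16)
    else:
        for tok in _pairs(rights):
            bit, name = RIGHTS[tok]              # KeyError on an unknown token
            mask |= bit
            names.append(name)
    trustee_name = TRUSTEES.get(trustee, trustee)  # raw SIDs are passed through
    return {"type": ACE_TYPES[ace_type], "flags": [ACE_FLAGS[f] for f in _pairs(flags)],
            "mask": mask, "rights": names, "trustee": trustee_name,
            "object_guid": obj_guid, "inherit_guid": inh_guid}

def applies_to_container_itself(ace):
    """An INHERIT_ONLY ACE never governs access to the directory it sits on."""
    return "INHERIT_ONLY" not in parse_ace(ace)["flags"]
```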